OSEC

From: Andre Solheim (andre.solheimbroadpark.no)
Date: Fri Jun 21 2002 - 14:36:59 CDT


    Copyright by Andre L. Solheim: 2002
    Message-Id: <200206212136.59578.andre.solheimbroadpark.no>

    Hi

    This time I have enclosed the pf.conf file that I use. Whenever I load this,
    the problem comes back, and when I reload a blank pf.conf the problem goes
    away. It must be something wrong with the rule set.

    # Packet firewalling rules by André Solheim -A
    # 21.06.2002
    # basis for this ruleset is by Jacek Artymiak in his
    # articles in the series Securing networks with OpenBSD on
    # www.onlamp.com
    #################################################################
    # define variables
    External="xl0"
    Private="fxp1"
    DMZ="fxp0"
    NoGoIPs="{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
    PrivateIPs="172.16.0.0/20"
    DMZIPs="172.16.16.0/20"
    #################################################################
    # normalize packets
    scrub in all
    #################################################################
    # stop all IPv6 traffic
    block in quick inet6 all
    block out quick inet6 all
    #################################################################
    # pass everything on loopback (lo0)
    pass in quick on lo0 all
    pass out quick on lo0 all
    #################################################################
    # Internet (xl0)
    # prevent spoofing of non-routable addresses
    block in quick on $External from $NoGoIPs to any
    block out quick on $External from any to $NoGoIPs
    # stop all incoming packets
    block in on $External all
    # pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port smtp keep state
    pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port www keep state
    # block all outgoing packets
    block out on $External all
    # allow TCP IPv4 connections to the outside world, keep state
    pass out on $External inet proto tcp all flags S/SA modulate state
    pass out on $External inet proto { udp, icmp } all keep state
    #################################################################
    # private network (fxp1)
    # prevent spoofing of non-routable addresses
    # block in quick on $Private from ! $PrivateIPs to any
    # block out quick on $Private from any to ! $PrivateIPs
    # stop all incoming and outgoing packets
    block in on $Private all
    block out on $Private all
    # allow TCP IPv4 connections to the outside world, keep state
    pass in on $Private inet proto tcp from $PrivateIPs to any flags S/SA modulate state
    pass in on $Private inet proto { udp, icmp } from $PrivateIPs to any keep state
    #################################################################
    # DMZ network (fxp0)
    # prevent spoofing of non-routable addresses
    block in quick on $DMZ from $DMZIPs to any
    block out quick on $DMZ from any to $DMZIPs
    # stop all incoming and outgoing packets
    block in on $DMZ all
    block out on $DMZ all
    # allow TCP IPv4 connections to the outside world, keep state
    pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state
    pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state
    block in on $DMZ inet from $DMZIPs to $PrivateIPs
    pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state
    pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state

    On Friday 21 June 2002 09:36, Kekes Stamatis wrote:
    > First of all, have you enabled packet forwarding?
    > If you did that, then I don't know if you placed any route entry in the
    > hop of your network to route the packets for the network that is located
    > behind the firewall to the firewall.
    > For example, if you have a central hop with IP 192.168.0.1 and your first
    > subnet is 192.168.0.0/24 and the network behind the firewall is
    > 192.168.1.0/24 and your firewall's "front" NIC has the IP address 192.168.0.3,
    > you have to add in the hop a static route so that packets having as
    > destination the network 192.168.1.0/24 are forwarded to
    > 192.168.0.3, which knows better how to manage these packets.
    > I'll be glad to help you more if you provide a network configuration
    > sample and what you have done in your firewall.
    > Best regards
    > Stamatis Kekes
    > Technical Director of KosmosLink LTD
    > mailto:skekeskosmoslink.gr
    > http://www.kosmoslink.gr
    >
    > Andre Solheim wrote:
    > >Copyright by Andre L. Solheim: 2002
    > >Message-Id: <200206210024.12142.andre.solheimbroadpark.no>
    > >
    > >Hi
    > >I've just installed an OpenBSD machine as firewall in my network. It has
    > >3 NICs: one as external interface, one for my DMZ and one for my internal
    > >network.
    > >When I am logged in on the firewall, I can ping machines on my internal
    > >network and on the Internet. But I am unable to ping machines in the DMZ.
    > >I get the message "No route found to host", but when I run the route show
    > >command I have a route to my DMZ (172.16.16.0, and the gateway is
    > >172.16.16.1).
    > >Anyone know how I can resolve this?
    > >--
    > >Sincere regards
    > >
    > >André L. Solheim
    > >__________________________________________________________________
    > >"Imagine a school with children
    > > that can read and write, but with teachers who cannot, and you
    > > have a metaphor of the Information Age in which we live."
    > > Peter Cochrane.

    -- 
    Sincere regards

    André L. Solheim
    __________________________________________________________________
    "Imagine a school with children
     that can read and write, but with teachers who cannot, and you
     have a metaphor of the Information Age in which we live."
                                                         Peter Cochrane.

    __________________________________________________________________
    Confidentiality Notice

    The content of this e-mail is intended for the confidential use of the
    person(s) to whom it is addressed. If the reader of this message is not such
    a person, you are hereby notified that you have received this communication
    in error and that reading it, or in any way disseminating its content to any
    other person, is strictly prohibited. If you have received this message in
    error, please notify the author by replying to this e-mail immediately, and
    subsequently delete all of its content.
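A note on the rule set above, with an added example that is not part of the original post. The DMZ anti-spoof pair as posted reads "block in quick on $DMZ from $DMZIPs to any" and "block out quick on $DMZ from any to $DMZIPs". Compared with the commented-out private-network pair, which uses "! $PrivateIPs", the "!" is missing, so the two rules match exactly the legitimate DMZ traffic rather than the spoofed traffic, and because they are "quick" nothing after them is evaluated: the later "pass in ... from $DMZIPs" and "pass out ... to $DMZIPs" rules can never win. A ping from the firewall's own DMZ address (172.16.16.1) to a DMZ host is dropped by the second rule on the way out, and on OpenBSD a locally generated packet that pf drops in the output path is reported to the sending program as EHOSTUNREACH, which ping prints as "No route to host" even though the routing table entry exists. A syntax check with "pfctl -nf /etc/pf.conf" does not catch this; the rules parse, they just match the wrong traffic.

The Python below is a small model of pf's rule evaluation (rules tried top to bottom, last match wins, a matching "quick" rule ends evaluation, no match means pass; state tables are not modelled), written for this note rather than taken from pf or from the poster. The DMZ section is transcribed from the posted pf.conf; the negate_antispoof switch adds the missing "!"; the sample packets, and the Internet address 198.51.100.10, are constructed for the example.

```python
# Added example (not from the original post, and not pf's own code): a small
# model of how pf evaluates a rule set, used to show why the DMZ section of
# the posted pf.conf drops the firewall's own pings into the DMZ. Modelled
# semantics: top to bottom, LAST match wins, a matching "quick" rule ends
# evaluation at once, no match means pass. "keep state" is not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

DMZ_IF = "fxp0"                 # $DMZ in the posted ruleset
DMZ_NET = "172.16.16.0/20"      # $DMZIPs
PRIVATE_NET = "172.16.0.0/20"   # $PrivateIPs

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str      # "in" or "out", as seen by the firewall
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    text: str                               # the pf.conf line this models
    action: str                             # "block" or "pass"
    direction: str                          # "in" or "out"
    iface: Optional[str] = None             # None: any interface
    proto: Optional[FrozenSet[str]] = None  # None: any protocol
    src: Optional[str] = None               # CIDR; None: "any"
    dst: Optional[str] = None
    src_negated: bool = False               # pf "from ! $NET"
    dst_negated: bool = False               # pf "to ! $NET"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or p.proto in self.proto)
                and _addr_match(self.src, self.src_negated, p.src)
                and _addr_match(self.dst, self.dst_negated, p.dst))

def _addr_match(net: Optional[str], negated: bool, addr: str) -> bool:
    if net is None:
        return True
    inside = ip_address(addr) in ip_network(net)
    return (not inside) if negated else inside

def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return 'block' or 'pass' for p: last match wins unless a match is quick."""
    winner: Optional[Rule] = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner.action if winner else "pass"

def dmz_rules(negate_antispoof: bool) -> List[Rule]:
    """DMZ (fxp0) section of the posted pf.conf. False: anti-spoof pair exactly
    as posted. True: with the '!' the commented-out private pair uses (the fix)."""
    bang = "! " if negate_antispoof else ""
    tcp, udp_icmp = frozenset({"tcp"}), frozenset({"udp", "icmp"})
    return [
        Rule(f"block in quick on $DMZ from {bang}$DMZIPs to any", "block", "in",
             DMZ_IF, None, DMZ_NET, None, src_negated=negate_antispoof, quick=True),
        Rule(f"block out quick on $DMZ from any to {bang}$DMZIPs", "block", "out",
             DMZ_IF, None, None, DMZ_NET, dst_negated=negate_antispoof, quick=True),
        Rule("block in on $DMZ all", "block", "in", DMZ_IF),
        Rule("block out on $DMZ all", "block", "out", DMZ_IF),
        Rule("pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state",
             "pass", "in", DMZ_IF, tcp, DMZ_NET),
        Rule("pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state",
             "pass", "in", DMZ_IF, udp_icmp, DMZ_NET),
        Rule("block in on $DMZ inet from $DMZIPs to $PrivateIPs",
             "block", "in", DMZ_IF, None, DMZ_NET, PRIVATE_NET),
        Rule("pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state",
             "pass", "out", DMZ_IF, tcp, None, DMZ_NET),
        Rule("pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state",
             "pass", "out", DMZ_IF, udp_icmp, None, DMZ_NET),
    ]

# Constructed sample traffic. 172.16.16.1 is the firewall's DMZ address and
# 172.16.16.2 the DMZ SMTP/www host, both from the thread; 198.51.100.10 is a
# documentation-range address standing in for an Internet host.
SAMPLES = {
    "fw_ping_to_dmz":       Packet(DMZ_IF, "out", "icmp", "172.16.16.1", "172.16.16.2"),
    "dmz_host_to_internet": Packet(DMZ_IF, "in", "tcp", "172.16.16.2", "198.51.100.10"),
    "spoofed_src_on_dmz":   Packet(DMZ_IF, "in", "tcp", "10.0.0.5", "172.16.16.1"),
    "dmz_host_to_private":  Packet(DMZ_IF, "in", "tcp", "172.16.16.2", "172.16.0.10"),
}

def verdicts(negate_antispoof: bool) -> dict:
    """Verdict for every sample packet under the as-posted or corrected DMZ rules."""
    rules = dmz_rules(negate_antispoof)
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```

Calling verdicts(False) gives "block" for every sample, including the firewall's ping and the DMZ host's outbound TCP, because the two quick rules swallow all real DMZ traffic. verdicts(True) passes the ping and the DMZ host's outbound connection, still blocks the packet with a non-DMZ source arriving on fxp0, and still blocks DMZ-to-private traffic through the later explicit block rule, which now gets a chance to be the last match. The text field of each Rule is the pf.conf line it models, so dmz_rules(True) also lists the corrected DMZ section.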